Reducing Security Risks in Cloud Computing

Two recent events have exposed the dark sides of cloud computing for both businesses and consumers.

These incidents—the partial outage of Amazon’s EC2 cloud service and the security breach of Sony’s PlayStation Network and Qriocity music service—underscore a key issue of the cloud computing model: customers’ lack of control over their data.

But they’ve also shed light on realities that need to be confronted if cloud computing is to live up to the hype as the next big thing in computing.

Although industry experts say there are no indications that businesses are delaying cloud computing projects, these events have highlighted the need for cloud customers to perform better due diligence. They have also made clear the need for a standard set of best practices, which experts say will help instill confidence that data stored in the cloud will be handled securely, reliably, and in compliance with various regulations.

Cloud Computing - A CNBC Special Report

“Businesses are still going forward with new projects,” says Jim Reavis, executive director of the Cloud Security Alliance. “But they’ve tended to look at the specifics of their deployment and ask, What lessons can we learn from the Amazon issue, and do we need to change anything in our deployment?”

Inherent Risks

Reliability and security are customers’ main concerns about cloud computing. Jay Heiser, research vice president at Gartner, notes that cloud providers have a long way to go when it comes to proving their ability to recover from a significant outage. Although Google successfully restored e-mail messages that were lost during a Gmail outage earlier this year, Heiser says the amount of time it took to recover is hardly comforting.


“It took four days to recover 0.02 percent of the users of a single service,” he says. “That raises the question of how long it would take to restore a bigger event. If one percent of Gmail users were impacted, would it take 200 days to restore service? I don’t know how a provider can give their customers some level of assurance that they can quickly restore after an unforeseen accident happens.”

And Terry Woloszyn, founder of PerspecSys, an Orangeville, Ontario-based developer of cloud data governance solutions, says that as cloud computing becomes more popular, the providers become bigger targets for hackers.

“As we’ve seen with Sony, one hack buys me millions of identities,” he says. “The cloud vendors are painting targets on their backs, and the enterprise knows it, and now the consumer is starting to realize it as well. Cloud overall has to start addressing that, from the individual all the way to the largest of enterprises, if it’s going to succeed.”

Best Practices

By paying a third-party vendor to handle tasks such as storage and database management offsite, businesses can save on technology and personnel costs. But Reavis notes that by ceding that control to a cloud provider, corporate customers often ignore their core business practices and risk management policies.


“What we’ve found is some of them have gotten a bit sloppy,” he says. “Because cloud is so easy to provision, enterprises sometimes bypass their central procurement department. The general IT processes that do all the vetting for risk management and security don’t get followed sometimes.”

The Cloud Security Alliance works with standards development organizations to promote best practices for both cloud computing providers and their customers.

“Providers have a responsibility to be a lot more transparent in exactly what they’re doing—how they’re securing systems, how they’re managing data, how they delete data, how they provision systems,” Reavis says.

“And customers have to understand that they can’t just throw all of the security and compliance concerns to the provider; they have a responsibility, as well, to ask for the right things, to understand their risk management responsibilities, because you can’t outsource that.”

Heiser says initiatives from the Cloud Security Alliance and other organizations are a good start, but that the industry is still a long way off from a consensus.

“We’ve got multiple initiatives that attempt to encapsulate a set of concerns about this computing model and provide a systematic way to determine if a provider is adequately addressing those concerns,” he says. “I view all of these as a noble experiment, but it would be unrealistic to expect we’d get it right the first round. This is a work in progress for the next five years.”

Adding to the complexity is the need for some industries to comply with government or industry regulations. The health care industry appears to be a prime candidate to benefit from cloud computing, particularly as electronic medical records become the norm. But health care companies are bound by the Health Insurance Portability and Accountability Act, HIPAA, for protecting personal health information.

“Amazon announced in December that their cloud met PCI certification for the credit card payment industry, so that creates some level of comfort for credit card processors to use that cloud,” he says. “We’re going to continue to build on that sort of thing to provide more robust certifications that providers can use.”

New Business Models Emerging

Security concerns and regulatory compliance are hastening the need for new cloud computing business models, according to Woloszyn.


He notes that regulations in Switzerland forbid banks from using cloud services because customer data cannot leave its jurisdiction. But he says PerspecSys’ solution allows a Swiss bank customer to use Salesforce.com’s customer relationship management application while keeping all personal customer data behind the company’s firewall.

Woloszyn says PerspecSys is exploring a similar solution for consumer cloud applications like Google Docs and Microsoft’s Windows Live.

“The sensitive data is staying within the customer’s enterprise, just like an on-premise application,” Woloszyn explains. “But from the end-user’s perspective, they’re getting all the benefits of a cloud application. The whole delivery model is going to have to mature to a more hybrid approach that gives some of that control back to the enterprise so they can mitigate their own risks.”